Description
After enabling the Iceberg metastore within a kerberized Hadoop cluster with impersonation enabled, I have to give all users full access to the metastore directory in HDFS.
If not, I get a Permission denied error when a non-administrator tries to call
analyze table hdfs.`dataset` refresh metadata
I attached the profile with the permission denied error from HDFS/Ranger.
I'm not sure if I should call this a bug, because Drill should impersonate everything, and so it's also impersonating the Iceberg metastore. But as an admin I don't want to give all users full write access to the metastore. An inexperienced user could accidentally overwrite something and corrupt the Iceberg table or delete metadata completely.
Maybe we could add an option to drill-metastore-overwrite.conf:
drill.metastore: {
  implementation.class: "org.apache.drill.metastore.iceberg.IcebergMetastore",
  iceberg: {
    location: {
      relative_path: "hdfs://nameservice/drill-metastore"
    },
    impersonation: {
      enabled: true,
      max_chained_user_hops: 3
    }
  }
}
In my case, I would of course disable it, but to match the behaviour of the general impersonation it could look like this.